Commit c862ad9

Sync with GitHub Security Advisories
* Add active_attr/CVE-2021-4250
* Update CVSSv3 for text_helpers/CVE-2020-36624
1 parent 7da3738 commit c862ad9

2 files changed: +34 -7 lines changed
gems/active_attr/CVE-2021-4250.yml

Lines changed: 25 additions & 0 deletions
@@ -0,0 +1,25 @@
1+
---
2+
gem: active_attr
3+
cve: 2021-4250
4+
ghsa: 4whf-rmx5-8frv
5+
url: https://github.com/cgriego/active_attr/issues/184
6+
title: active_attr Improper Resource Shutdown or Release vulnerability
7+
date: 2022-12-19
8+
description: |
9+
A vulnerability classified as problematic has been found in cgriego active_attr
10+
up to 0.15.3. This affects the function call of the file
11+
lib/active_attr/typecasting/boolean_typecaster.rb of the component Regex Handler.
12+
The manipulation of the argument value leads to denial of service. The exploit
13+
has been disclosed to the public and may be used. Upgrading to version 0.15.4 can
14+
address this issue. The name of the patch is dab95e5843b01525444b82bd7b336ef1d79377df.
15+
It is recommended to upgrade the affected component. The associated identifier of
16+
this vulnerability is VDB-216207.
17+
cvss_v3: 3.5
18+
patched_versions:
19+
- ">= 0.15.4"
20+
related:
21+
url:
22+
- https://github.com/cgriego/active_attr/pull/185
23+
- https://github.com/cgriego/active_attr/commit/dab95e5843b01525444b82bd7b336ef1d79377df
24+
- https://github.com/cgriego/active_attr/releases/tag/v0.15.4
25+
- https://vuldb.com/?id.216207
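Review bot: The title "active_attr Improper Resource Shutdown or Release vulnerability" does not match the description in the same hunk, which attributes a denial of service to the Regex Handler component in lib/active_attr/typecasting/boolean_typecaster.rb when the argument value is manipulated; a title that names the regex-handling denial of service would let readers scanning titles see the real impact. A second, smaller point: `url:` points at issue #184 while the fix (PR #185 and commit dab95e5843b01525444b82bd7b336ef1d79377df, the hash the description itself names as the patch) sits only under `related:`; that is fine if the database convention is to use the disclosure issue as the primary link, but it is worth confirming that is the intent rather than an oversight. The version data is internally consistent: "up to 0.15.3" affected, `patched_versions: - ">= 0.15.4"`.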

gems/text_helpers/CVE-2020-36624.yml

Lines changed: 9 additions & 7 deletions
@@ -5,13 +5,15 @@ ghsa: 74hc-57m5-83ch
55
url: https://github.com/ahorner/text-helpers/pull/19
66
title: text_helpers uses web link to untrusted target with window.opener access
77
date: 2022-12-22
8-
description: A vulnerability was found in ahorner text-helpers 1.1.0/1.1.1. It has
9-
been declared as critical. This vulnerability affects unknown code of the file lib/text_helpers/translation.rb.
10-
The manipulation of the argument link leads to use of web link to untrusted target
11-
with window.opener access. The attack can be initiated remotely. Upgrading to version
12-
1.2.0 can address this issue. The name of the patch is 184b60ded0e43c985788582aca2d1e746f9405a3.
13-
It is recommended to upgrade the affected component. The identifier of this vulnerability
14-
is VDB-216520.
8+
description: |
9+
A vulnerability was found in ahorner text-helpers 1.1.0/1.1.1. It has
10+
been declared as critical. This vulnerability affects unknown code of the file
11+
lib/text_helpers/translation.rb. The manipulation of the argument link leads to
12+
use of web link to untrusted target with window.opener access. The attack can be
13+
initiated remotely. Upgrading to version 1.2.0 can address this issue. The name
14+
of the patch is 184b60ded0e43c985788582aca2d1e746f9405a3. It is recommended to
15+
upgrade the affected component. The identifier of this vulnerability is VDB-216520.
16+
cvss_v3: 6.1
1517
unaffected_versions:
1618
- "< 1.1.0"
1719
patched_versions:
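Review bot: The commit message says only "Update CVSSv3 for text_helpers", but this hunk also rewrites `description:` from a plain scalar into a `|` block scalar with new line breaks; from the visible lines the wording is unchanged word for word, so the change is cosmetic, but the message should mention the reflow so a later reader does not have to diff the prose to confirm nothing was altered. The trailing context stops at `patched_versions:` without showing its value; since the description states that upgrading to version 1.2.0 addresses the issue and `unaffected_versions:` lists `"< 1.1.0"`, please confirm the patched list reads `">= 1.2.0"` so the three version statements agree.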
